(57) ABSTRACT

A method of Virtual Private Network (VPN) communication employed for a security gateway apparatus, and the security gateway apparatus using the same, allow a personal computer outside a local area network (LAN) to access, via a WAN, a terminal on the LAN, with the outside PC virtually regarded as a terminal on the LAN. The communication method is employed for a security gateway apparatus that connects, through concentration and conversion processing, a LAN and a WAN including a public network. Security Architecture for the Internet Protocol (IPsec) establishes a VPN with an outside PC having a dialup connection to the WAN. During the Internet Key Exchange (IKE) communication that is performed prior to the IPsec communication, the security gateway apparatus integrates a Dynamic Host Configuration Protocol (DHCP) communication option into the IKE data, and designates the IP address of the outside PC from a tunneled IP packet.
FIG. 1, FIG. 2, FIG. 3, FIG. 4; FIG. 5, FIG. 6, FIG. 7, FIG. 8 (PRIOR ART)

[Front-page drawing: tunnel-mode encapsulation by security gateway 103, showing the inner packet with IP addresses C and A and data, and the outer IP header with IP addresses B and A; labels "Encapsulating", "IP address: A", "IP address: B", "IP address: C".]


US 2001/0020273 A1




Sep. 6, 2001 


METHOD OF VIRTUAL PRIVATE NETWORK 
COMMUNICATION IN SECURITY GATEWAY 
APPARATUS AND SECURITY GATEWAY 
APPARATUS USING THE SAME 

FIELD OF THE INVENTION 

[0001] The present invention relates to a method of virtual private network (VPN) communication in a security gateway apparatus and a security gateway apparatus using the same. More particularly, this method and apparatus are used in a network environment configured by a security gateway apparatus connecting a local area network (LAN), including a plurality of terminal devices, and a wide area network (WAN) typified by a public network. In such a network environment, the VPN communication method allows a terminal device outside a LAN to communicate with the security gateway apparatus via a WAN.

BACKGROUND OF THE INVENTION 

[0002] In recent years, the widespread proliferation of Internet access has brought many PCs into businesses and even individual households, and such PCs often communicate with each other on a local area network (LAN) for more effective use. When a LAN made up of several PCs is connected to the Internet, a gateway apparatus that connects the LAN and a WAN is required.

[0003] To access a terminal on a LAN from a PC outside the LAN, the PC first needs to establish a dialup connection with the provider it signs on with, and then to access the terminal, for example a PC on the LAN, via the WAN.

[0004] However, packets transmitted through a WAN are basically not safeguarded. If such packets are intercepted by eavesdroppers, sensitive information could be misused.


[0005] A security gateway apparatus connecting the WAN and the LAN needs to be used to protect the LAN from unauthorized access and to provide data security. It is also required that the PC, which has a dialup connection with the WAN, be equipped with a communication protocol stack for data security. In this way, it becomes possible to realize a virtual private line environment on a WAN, by establishing the VPN communication between the security gateway apparatus on the LAN side and the PC outside the LAN.

[0006] Currently, the communication protocol typically used for VPN communication is Security Architecture for the Internet Protocol (IPsec).

[0007] An overview of VPN communication employing IPsec will now be described with reference to FIG. 5. FIG. 5 is a block diagram of a typical network system including a WAN.

[0008] As shown in FIG. 5, the network system comprises PC 101, which is located outside the LAN and establishes a dialup connection to the provider; WAN 102; and security gateway 103, which connects WAN 102 and LAN 104 and performs line connection and conversion processing.

[0009] LAN 104, which is under the control of security gateway 103, includes server terminal 105 and client PCs 106 and 107.

[0010] Besides, in order to perform the IPsec communication, VPN 108 is established between PC 101 and security gateway 103.

[0011] When PC 101 establishes a dialup connection to the provider and accesses a terminal on LAN 104, VPN 108 is established between PC 101 and security gateway 103, so that a virtual private line environment is achieved over WAN 102. This environment protects information exchanged on WAN 102 from interception or alteration, ensuring safe communication between PC 101 and the terminal on LAN 104.

[0012] An outline of the information required for performing the IPsec communication will now be described with reference to FIG. 6. FIG. 6 illustrates the state of the WAN connection.

[0013] PC 101, WAN 102, and security gateway 103 are the same as those described in FIG. 5.

[0014] In order to perform IPsec communication between PC 101 and security gateway 103, the following have to be shared by both sides prior to the IPsec communication:

[0015] 1) data security;

[0016] 2) countermeasures against alteration of transmitted data, by avoiding the use of a fixed logical communication path;

[0017] 3) an encryption algorithm that protects the data to be transmitted from alteration;

[0018] 4) key information used for the authentication algorithm.

[0019] There are two methods of sharing key information between both communication partners: (1) setting the key information manually on both sides prior to communication, and (2) setting the key information automatically with the Internet Key Exchange (IKE) protocol when initiating communication.

[0020] The description hereinafter focuses on the latter method, which is the one used in practice.

[0021] The IPsec communication will be described with reference to FIG. 7. FIG. 7 is a flow diagram that illustrates the working of security gateway 103 for starting the IPsec communication.

[0022] To perform the IPsec communication, it is necessary to establish a Security Association (SA), which is a two-way logical connection between both sides. For that reason, the IKE communication has two phases.

[0023] Phase 1 establishes an IKE-SA for performing the IKE communication safely (S11, S12). With that connection established successfully, phase 2 becomes active for exchanging security information, including key information, for the IPsec communication (S13).

[0024] When the IPsec-SA is successfully established (S14) in phase 2, the IKE communication is over and the IPsec communication starts (S15).

[0025] The table below shows the information to be exchanged between both sides in phase 2 of the IKE communication (indicated by S13 in the description above).

TABLE 1

Item                        Detail
Security protocol           Encapsulating Security Payload (ESP) / Authentication Header (AH)
IPsec communication mode    Tunnel mode / Transport mode
Encryption algorithm        Must in ESP
Encryption key
Authentication algorithm    Must in AH, may be selected in ESP
Authentication key
SA life time format         Data amount (bytes) / hours
SA life time

[0026] As for the operating mode (IPsec communication mode), security gateway 103 operates in the tunnel mode (encapsulating whole IP packets) only. In the explanation below, the IPsec operating mode is assumed to be the tunnel mode.

[0027] FIG. 8 schematically illustrates the IPsec communication in the tunnel mode. In FIG. 8, PC 101, security gateway 103, LAN 104, client PC 106, and VPN 108 are the same as those illustrated in FIG. 5. IP packet 100 is the packet handled in this system.

[0028] In FIG. 8, suppose that IP addresses "A", "B", and "C" are assigned to PC 101, security gateway 103, and client PC 106, respectively. IP address "A", assigned to PC 101, is provided by the provider.

[0029] When client PC 106 on LAN 104 transmits an IP packet to PC 101, which has established a connection with PC 106 via VPN 108:

[0030] 1) client PC 106 generates IP packet 100, in which the sender's IP address is "C" and the receiver's IP address is "A", and transmits it to security gateway 103;

[0031] 2) having received packet 100, gateway 103 identifies that the packet is the one to be sent to PC 101, which has established VPN 108;

[0032] 3) gateway 103 encapsulates IP packet 100 according to the information exchanged during the IKE communication;

[0033] 4) an IP header containing the sender's IP address "B" and the receiver's IP address "A" is added outside the originally set IP header;

[0034] 5) authentication information is added to the encapsulated IP packet based on the exchanged information, and the IP packet is encrypted;

[0035] 6) having received the encapsulated packet via VPN 108, PC 101 retrieves the encapsulated original IP packet 100 from the received packet according to the exchanged information, and then processes it.
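The six steps above, as an added runnable example that is not code from the patent: the gateway looks up the inner destination in its table of VPN peers, wraps packet 100 in ESP tunnel mode under an outer header from "B" to "A", and the peer unwraps it. The addresses, keys, SPI and the HMAC-SHA256 counter-mode keystream standing in for a real cipher are constructed for the example and are assumptions. One caveat for practitioners: standardized ESP (RFC 4303) computes the integrity check value over the already encrypted payload, so a receiver verifies it before decrypting and before updating its anti-replay window, which is the order the example follows; step 5 as written above describes authentication being added before encryption.

```python
# Tunnel-mode ESP as performed by gateway 103 in steps 1-6 above (added example).
import hashlib, hmac, ipaddress, struct
from dataclasses import dataclass

IPPROTO_ESP, IPPROTO_IPIP, ICV_LEN = 50, 4, 16   # ESP proto, "IPv4 inside", truncated ICV size

def _checksum(hdr20: bytes) -> int:
    """RFC 791 one's-complement sum over a 20-byte header."""
    s = sum(struct.unpack("!10H", hdr20))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Option-less IPv4 header with checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """src, dst, proto, payload; rejects options, bad checksums and short packets."""
    if len(pkt) < 20 or pkt[0] != 0x45 or _checksum(pkt[:20]) != 0:
        raise ValueError("not a well-formed option-less IPv4 packet")
    total = struct.unpack("!H", pkt[2:4])[0]
    if total > len(pkt):
        raise ValueError("truncated IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[20:total]}

@dataclass
class SecurityAssociation:
    """State agreed in IKE phase 2 (SPI, keys) plus send and anti-replay counters."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0            # last sequence number sent
    replay_last: int = 0    # highest sequence number accepted
    replay_window: int = 0  # 64-bit bitmap of accepted numbers at and below replay_last

def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for AES-CTR (assumption)."""
    return b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def _replay_check(sa: SecurityAssociation, seq: int) -> bool:
    """Sliding 64-entry window as in RFC 4303; records seq when accepting it."""
    if seq == 0:
        return False
    if seq > sa.replay_last:
        sa.replay_window = ((sa.replay_window << (seq - sa.replay_last)) | 1) & ((1 << 64) - 1)
        sa.replay_last = seq
        return True
    diff = sa.replay_last - seq
    if diff >= 64 or (sa.replay_window >> diff) & 1:
        return False
    sa.replay_window |= 1 << diff
    return True

def esp_encapsulate(sa: SecurityAssociation, inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Steps 3-5: ESP header, padded inner packet, encrypt, ICV over the ciphertext, outer header."""
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % 4                    # trailer must end on a 4-byte boundary
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    ks = _keystream(sa.enc_key, sa.spi, sa.seq, len(plain))
    body = struct.pack("!II", sa.spi, sa.seq) + bytes(a ^ b for a, b in zip(plain, ks))
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(outer_src, outer_dst, IPPROTO_ESP, body + icv)

def esp_decapsulate(sa: SecurityAssociation, outer: bytes) -> bytes:
    """Step 6: check the ICV before anything else, then replay, then decrypt and strip the trailer."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_ESP or len(o["payload"]) < 8 + 2 + ICV_LEN:
        raise ValueError("not an ESP packet")
    body, icv = o["payload"][:-ICV_LEN], o["payload"][-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    expect = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if spi != sa.spi or not hmac.compare_digest(expect, icv):
        raise ValueError("unknown SPI or ICV mismatch (altered packet or wrong key)")
    if not _replay_check(sa, seq):
        raise ValueError("replayed or stale sequence number")
    ks = _keystream(sa.enc_key, spi, seq, len(body) - 8)
    plain = bytes(a ^ b for a, b in zip(body[8:], ks))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPPROTO_IPIP or pad_len > len(plain) - 2:
        raise ValueError("bad ESP trailer")
    return plain[:len(plain) - 2 - pad_len]

def gateway_forward(sa_by_peer: dict, gateway_ip: str, lan_packet: bytes):
    """Steps 1-2: the inner destination decides whether a VPN peer is the target."""
    inner = parse_ipv4(lan_packet)
    sa = sa_by_peer.get(inner["dst"])
    return None if sa is None else esp_encapsulate(sa, lan_packet, gateway_ip, inner["dst"])

def demo() -> dict:
    """Constructed addresses A (PC 101), B (gateway 103), C (client PC 106) and constructed keys."""
    A, B, C = "203.0.113.10", "198.51.100.1", "192.168.0.20"
    keys = {"enc_key": b"\x11" * 32, "auth_key": b"\x22" * 32}
    gw_sa, pc_sa = SecurityAssociation(0x1001, **keys), SecurityAssociation(0x1001, **keys)
    packet100 = build_ipv4(C, A, 17, b"hello from client PC 106")
    outer = gateway_forward({A: gw_sa}, B, packet100)
    hdr = parse_ipv4(outer)
    return {"outer": (hdr["src"], hdr["dst"], hdr["proto"]),
            "inner_recovered": esp_decapsulate(pc_sa, outer) == packet100}
```

Running demo() shows the outer header carrying B as sender and A as receiver with protocol 50, and the original packet 100 recovered unchanged on the PC side; a second delivery of the same datagram, or one with a flipped byte, is rejected before any decryption takes place.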

[0036] The VPN communication method in the prior-art security gateway apparatus assures the safety of data exchanged on WAN 102. However, an access from outside the LAN is treated as an access from an outside network.

[0037] This brings the inconveniences and security problems described below when a terminal outside the LAN establishes a dialup connection to the WAN and accesses client PC 106 on LAN 104.


[0038] 1) A security policy setting indicating acceptable and unacceptable access is required on PC 106. For example, PC 106 needs a setting by which it can determine which IP addresses are acceptable or which protocol services are unacceptable.

[0039] 2) The setting described above has to be made each time an outside terminal accesses a terminal on the LAN. Unless the setting procedures are performed completely, the security level could be degraded.

[0040] 3) When the outside terminal accesses a server on the LAN, even after the terminal has successfully established the IPsec communication with the gateway apparatus, the server needs further setting procedures for identifying the outside terminal and giving it permission to communicate with a terminal on the LAN. As with the security policy setting described above, the security level could be degraded unless the setting procedures are performed completely.

[0041] Besides, if LAN 104 is a network configured with private IP addresses, the setting procedures would be extremely complicated.

SUMMARY OF THE INVENTION 

[0042] The present invention addresses the problems above. It is therefore the object of the present invention to provide a VPN communication method in a security gateway apparatus that allows a PC outside a LAN, virtually regarded as a PC on the LAN, to communicate with a terminal on the LAN.

[0043] The present invention provides a VPN communication method in a security gateway apparatus that connects, via line connection and conversion processing, a LAN and a WAN that is typically configured by a public network.

[0044] According to the present invention, in the procedure in which the IPsec protocol establishes the VPN communication between a security gateway apparatus and an outside PC having a dialup connection with a WAN, the security gateway apparatus integrates the Dynamic Host Configuration Protocol (DHCP) communication option into the IKE data during the IKE communication prior to the IPsec communication. Through this procedure, the security gateway apparatus can designate the IP address of the outside PC from a tunneled IP packet.

[0045] In this way, the present invention allows an outside terminal to communicate with a terminal on the LAN by virtually regarding the outside terminal as a terminal on the LAN.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0046] FIG. 1 diagrammatically illustrates an IPsec communication in accordance with a first preferred embodiment of the present invention.

[0047] FIG. 2 is a flow chart indicating the procedure in which a security gateway apparatus distributes an IP address to an outside PC.

[0048] FIG. 3 shows a data format for the IKE communication used for the VPN communication method in the security gateway apparatus in accordance with the first preferred embodiment.

[0049] FIG. 4 is a block diagram of the security gateway apparatus of the present invention.

[0050] FIG. 5 shows a prior art typical network system 
including a WAN. 

[0051] FIG. 6 shows a prior art configuration in which an 
outside PC and the security gateway apparatus are connected 
via a WAN. 

[0052] FIG. 7 is a flow chart indicative of the working 
steps of the prior art security gateway apparatus to initiate 
the IPsec communication. 

[0053] FIG. 8 diagrammatically illustrates the prior art IPsec communication in the tunnel mode.

[0054] DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0055] The preferred embodiments of the present inven- 
tion are described hereinafter with reference to the accom- 
panying drawings, FIG. 1 through FIG. 3. 

[0056] First Preferred Embodiment 

[0057] FIG. 3 shows a data format for the IKE commu- 
nication used for the VPN communication method in the 
security gateway apparatus in accordance with the first 
preferred embodiment. 

[0058] The IKE communication is performed over User Datagram Protocol (UDP)/Internet Protocol (IP). As shown in FIG. 3, the IKE data is formed of an Internet Security Association and Key Management Protocol (ISAKMP) header and a series of ISAKMP payloads that follows the ISAKMP header. The IKE communication is performed between an initiator, which requests the key exchange, and a responder, which responds to the request.

[0059] According to the embodiment, FIG. 1 shows PC 101 as an example of a terminal connecting to the Internet via a provider.

[0060] Serving as the initiator, PC 101 initiates the IKE communication with security gateway 203 in order to access client PC 106 on LAN 104. Security gateway 203, on the other hand, serves as the responder in the communication.

[0061] The communication is performed in the form of a server/client model. As for the encryption key and the authentication key among the items listed in Table 1, key information is exchanged between the initiator and the responder using a public key cryptosystem. As for the rest of the items, the initiator gives proposals to the responder, and the responder responds to the initiator with the best among the proposals.

[0062] There are some pieces of information essential to PC 101 as a Dynamic Host Configuration Protocol (DHCP) client: (i) an IP address; (ii) a subnet mask; (iii) an expiration date of the IP address; and (iv) a domain name.

[0063] Security gateway 203, which serves as the responder in the IKE communication, adds these four items to the normally formed IKE data as a DHCP option.

[0064] Of the four items, the expiration date of the IP address may be omitted from the option added to the IKE data, by regarding the expiration date as equivalent to the SA life time that is established by the IKE communication.

[0065] DHCP is an application protocol positioned in a layer higher than the one UDP belongs to, so it runs on IKE without problems associated with retransmission control or other functions.

[0066] FIG. 1 diagrammatically illustrates the IPsec communication in accordance with the first preferred embodiment of the present invention.

[0067] The interconnection of PC 101, security gateway 203, LAN 104, client PC 106, and VPN 208 in FIG. 1 is the same as that of PC 101, security gateway 103, LAN 104, client PC 106, and VPN 108 in FIG. 5.

[0068] In FIG. 1, suppose that IP addresses "A", "B", and "C" are assigned to PC 101, security gateway 203, and client PC 106, respectively. IP address "A", assigned to PC 101, is provided by the provider.

[0069] Security gateway 203 distributes IP address "D" to PC 101 during the IKE communication.

[0070] When client PC 106 on LAN 104 transmits an IP packet to PC 101, which has established VPN 208, the transmission is performed following the steps below:

[0071] 1) client PC 106 generates IP packet 209, in which the sender's IP address is "C" and the receiver's IP address is "D", regardless of IP address "A" assigned to PC 101 by the provider outside LAN 104, and transmits packet 209 to security gateway 203;

[0072] 2) having received the packet, gateway 203 identifies that the packet is the one to be sent to PC 101, which has established VPN 208, and encapsulates IP packet 209 according to the information exchanged through the IKE communication;

[0073] 3) an IP header containing the sender's IP address "B" and the receiver's IP address "A" is added outside the originally set IP header;

[0074] 4) authentication information is added to the encapsulated IP packet based on the exchanged information, and the IP packet is encrypted;

[0075] 5) having received the encapsulated packet via VPN 208, PC 101 retrieves the encapsulated original IP packet 209 from the received packet based on the exchanged information, and then processes it according to the subnet mask and domain name obtained during the IKE communication.

[0076] FIG. 2 is a flow chart illustrating the procedure in which security gateway 203 establishes the IKE communication and the IPsec Security Association (SA) connections to initiate the IPsec communication, and distributes IP address "D" to PC 101.

[0077] To perform the IPsec communication, it is necessary to establish an SA, which is a two-way logical connection between both sides. For that reason, the IKE communication has two phases.

[0078] Phase 1 establishes an IKE-SA for performing the IKE communication safely (S1, S2). With that connection established successfully, phase 2 becomes active for exchanging security information, including key information, for the IPsec communication (S3).

[0079] In phase 2, the IPsec-SA is established and the DHCP option is added to the IKE data (S4).

[0080] Following the completion of the distribution of IP address "D" to PC 101 (S5), the IKE communication is over.

[0081] Table 1 shows the information required for the IPsec communication, which is exchanged between both sides during the IKE (phase 2) communication in step S3.
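The IKE data format of FIG. 3 and steps S3 to S5 of FIG. 2, as an added example that is not code from the patent: an ISAKMP header is followed by a chain of payloads in which each generic payload header names the type of the next, and the responder appends one further payload carrying the DHCP items (IP address, subnet mask, domain name) with no lease time, since the SA lifetime agreed in S3 takes its place. The payload type number 130 (from the ISAKMP private-use range), the option body layout, the way the SA lifetime is attached to the SA payload, and the cookies, proposal text and addresses are all constructed for this example and are assumptions. For context, current IKEv2 carries the same items in its Configuration payload (RFC 7296), and RFC 3456 later standardized DHCPv4 over IPsec tunnel mode; the example follows the patent's own framing.

```python
# IKE data with a DHCP option appended by the responder (added example, not the patent's code).
import ipaddress, struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 fixed header: cookies, next, ver, exch, flags, id, len
PAYLOAD_HDR = struct.Struct("!BBH")         # generic payload header: next payload, reserved, length
PT_NONE, PT_SA, PT_DHCP_OPTION = 0, 1, 130  # 130 is in the private-use payload range (assumption)
ISAKMP_VERSION = 0x10                       # major 1, minor 0
EXCH_QUICK_MODE = 32                        # phase 2 exchange type
DHCP_SUBNET_MASK, DHCP_DOMAIN_NAME, DHCP_END = 1, 15, 255   # DHCP option codes (RFC 2132)

def build_isakmp(cookie_i: bytes, cookie_r: bytes, exchange: int, msg_id: int, payloads: list) -> bytes:
    """payloads: list of (type, body); each header points at the type of the following payload."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PT_NONE
    hdr = ISAKMP_HDR.pack(cookie_i, cookie_r, first, ISAKMP_VERSION, exchange, 0, msg_id,
                          ISAKMP_HDR.size + len(body))
    return hdr + body

def parse_isakmp(msg: bytes) -> dict:
    """Walks the payload chain, checking every length field against the bytes actually present."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ci, cr, nxt, _ver, exch, _flags, msg_id, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field disagrees with datagram size")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != PT_NONE:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("payload length out of range")
        payloads.append((nxt, msg[off + PAYLOAD_HDR.size:off + plen]))
        nxt, off = following, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after the last payload")
    return {"cookie_i": ci, "cookie_r": cr, "exchange": exch, "msg_id": msg_id, "payloads": payloads}

def encode_dhcp_option(ip: str, mask: str, domain: str) -> bytes:
    """4-byte assigned address, then DHCP-style TLV options, then END (layout is an assumption)."""
    dom = domain.encode()
    return (ipaddress.IPv4Address(ip).packed
            + bytes([DHCP_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
            + bytes([DHCP_DOMAIN_NAME, len(dom)]) + dom
            + bytes([DHCP_END]))

def decode_dhcp_option(body: bytes, sa_lifetime_s: int) -> dict:
    """No lease time is carried: the caller passes the negotiated SA lifetime instead."""
    if len(body) < 4:
        raise ValueError("no address in DHCP option")
    cfg = {"ip": str(ipaddress.IPv4Address(body[:4])), "lease_s": sa_lifetime_s}
    off = 4
    while off < len(body) and body[off] != DHCP_END:
        if off + 2 > len(body) or off + 2 + body[off + 1] > len(body):
            raise ValueError("malformed DHCP TLV")
        code, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if code == DHCP_SUBNET_MASK and ln == 4:
            cfg["mask"] = str(ipaddress.IPv4Address(val))
        elif code == DHCP_DOMAIN_NAME:
            cfg["domain"] = val.decode()
        off += 2 + ln
    return cfg

def responder_reply(request: bytes, assigned_ip: str, mask: str, domain: str, sa_lifetime_s: int) -> bytes:
    """Step S4 on gateway 203: answer the SA proposal and append the DHCP option payload."""
    req = parse_isakmp(request)
    sa_body = [p for t, p in req["payloads"] if t == PT_SA][0]
    sa_body += struct.pack("!I", sa_lifetime_s)          # lifetime carried with the SA (assumption)
    payloads = [(PT_SA, sa_body), (PT_DHCP_OPTION, encode_dhcp_option(assigned_ip, mask, domain))]
    return build_isakmp(req["cookie_i"], req["cookie_r"], EXCH_QUICK_MODE, req["msg_id"], payloads)

def initiator_configure(reply: bytes) -> dict:
    """Step S5 on PC 101: take address, mask and domain from the IKE data, lease from the SA."""
    by_type = dict(parse_isakmp(reply)["payloads"])
    lifetime = struct.unpack("!I", by_type[PT_SA][-4:])[0]
    return decode_dhcp_option(by_type[PT_DHCP_OPTION], lifetime)

def demo_exchange() -> dict:
    """Constructed cookies, proposal text and addresses."""
    cookie_i, cookie_r = b"\x01" * 8, b"\x02" * 8
    request = build_isakmp(cookie_i, cookie_r, EXCH_QUICK_MODE, 7, [(PT_SA, b"ESP,tunnel,3DES,HMAC-SHA1")])
    reply = responder_reply(request, "192.168.0.50", "255.255.255.0", "lan.example", 3600)
    return initiator_configure(reply)
```

demo_exchange() yields the address, mask and domain that PC 101 applies to itself, with lease_s equal to the SA lifetime. The parser rejects a datagram whose length fields do not match the bytes received and a DHCP option whose TLV runs past the end of the payload, which is the check a gateway or client must make before trusting any field of an IKE datagram arriving over UDP.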

[0082] According to the embodiment, as described above, in the procedure in which the gateway apparatus establishes the VPN 208 connection, using the IPsec protocol, with PC 101 having a dialup connection to WAN 102, the gateway apparatus integrates the DHCP communication option into the IKE data during the IKE communication prior to the IPsec communication. Through this procedure, the security gateway apparatus can designate the IP address of the outside PC from a tunneled IP packet in the IPsec communication.

[0083] When establishing the IPsec communication with outside PC 101 having a dialup connection with the WAN, security gateway 203 thus controls IP address "A" of the outside PC as the final destination. As an advantage, the need for any setting on client PC 106 on LAN 104 is eliminated in this procedure.

[0084] This promises highly safeguarded communication without interception or alteration of the transmitted information.

[0085] Second Preferred Embodiment 

[0086] The VPN communication method employed for the security gateway apparatus in accordance with the second preferred embodiment will now be described with reference to FIG. 1.

[0087] During the distribution of DHCP information to PC 101, security gateway 203 distributes an IP address and a subnet mask having the same segment as those of LAN 104 controlled by security gateway 203. In this procedure, security gateway 203 serves as the responder, while PC 101 serves as the initiator in the IKE communication.

[0088] In the IPsec communication after the establishment, PC 101, which accesses from outside LAN 104, can behave as if it were a standalone terminal that has the same segment as client PC 106, communicating with client PC 106 through security gateway 203.

[0089] According to the embodiment, as described above, security gateway 203 distributes to PC 101, which accesses from outside LAN 104 by establishing a dialup connection, an IP address and a subnet mask which have the same segment as those used on LAN 104 controlled by security gateway 203, in the IKE communication. This allows outside PC 101 to be virtually regarded as a terminal on LAN 104 in the VPN communication.

[0090] The fact that outside PC 101, which has established VPN 208, works as if it were in the LAN 104 environment realizes secure access from an outside terminal to a terminal on LAN 104.

[0091] Third Preferred Embodiment

[0092] The VPN communication method employed for the security gateway apparatus in accordance with the third preferred embodiment will now be described with reference to FIG. 1.

[0093] In FIG. 1, the explanation is focused on the case in which security gateway 203 configures LAN 104 with private IP addresses.

[0094] In this case, an access from an outside terminal to client PC 106 on LAN 104 is usually not allowed. However, the following method makes it possible.

[0095] First, PC 101, having a dialup connection, establishes the IKE communication with security gateway 203. During the IKE communication, security gateway 203 integrates a private IP address into the IKE data as a DHCP option. The private IP address is an unused one in the segment of LAN 104 controlled by security gateway 203.

[0096] Then, gateway 203 distributes the IKE data to PC 101.

[0097] Through this procedure, PC 101 uses a global IP address on WAN 102 for VPN 208, while it handles the private IP address inside PC 101 itself. This allows PC 101 to behave as if it were a standalone terminal that has the same segment as a terminal on the network.

[0098] According to the embodiment, as described above, gateway 203 distributes, by DHCP technology, a private IP address of LAN 104 during the IKE communication. The distribution procedure realizes the VPN communication in which a terminal outside the LAN is allowed access into the LAN 104 environment, which is configured with private IP addresses. Thus, outside PC 101 can access the LAN 104 environment with security.

[0099] Fourth Preferred Embodiment

[0100] The security gateway apparatus employing the method of the embodiments described above will now be explained with reference to FIG. 4.

[0101] Gateway apparatus 203 includes DHCP option adding section 212, IPsec communication section 214, IP address distribution section 216, I/O section 210 for the WAN, and I/O section 218 for the LAN.

[0102] As described in the method of the first preferred embodiment,


[0103] 1) DHCP option adding section 212 adds the DHCP option to the IKE data;

[0104] 2) IP address distribution section 216 distributes an IP address, via I/O section 210, to a terminal having a dialup connection with the WAN;

[0105] 3) IPsec communication section 214 performs the IPsec communication, via I/O sections 210 and 218, between the WAN and the inside of the LAN.
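IP address distribution section 216 as the second and third embodiments describe it, as an added example that is not the patent's code: pick an unused address in the LAN segment (a private range in the third embodiment), hand it out with the LAN's subnet mask for the duration of the SA lifetime, and keep the mapping from that inner address "D" to the outside PC's global address "A" so that a tunneled packet addressed to "D" can be delivered. The LAN's in-use address table, the sample segment and the global address are constructed for the example.

```python
# IP address distribution section 216 (added example, not the patent's code).
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Lease:
    inner_ip: str        # address the outside PC uses inside the LAN segment ("D")
    outer_ip: str        # global address the provider gave the PC ("A"), used in the outer header
    expires_at: float    # same instant as the SA lifetime; no separate DHCP lease time is sent

@dataclass
class AddressDistributor:
    lan: str                                     # LAN segment in CIDR form, e.g. 192.168.0.0/24
    gateway_ip: str                              # the gateway's own LAN address, never handed out
    in_use: set = field(default_factory=set)     # LAN hosts already holding addresses
    leases: dict = field(default_factory=dict)   # inner_ip -> Lease

    def __post_init__(self):
        self.net = ipaddress.IPv4Network(self.lan)
        if ipaddress.IPv4Address(self.gateway_ip) not in self.net:
            raise ValueError("gateway address must lie in the LAN segment")

    def uses_private_addresses(self) -> bool:
        """The third embodiment's case: the LAN is numbered from private space."""
        return self.net.is_private

    def expire(self, now: float) -> list:
        """Release leases whose SA lifetime has lapsed; returns the freed inner addresses."""
        freed = [ip for ip, lease in self.leases.items() if lease.expires_at <= now]
        for ip in freed:
            del self.leases[ip]
        return freed

    def allocate(self, outer_ip: str, now: float, sa_lifetime_s: int):
        """Pick an unused address in the segment; returns (inner_ip, netmask) for the DHCP option."""
        self.expire(now)
        for lease in self.leases.values():           # a peer that re-keys keeps its address
            if lease.outer_ip == outer_ip:
                lease.expires_at = now + sa_lifetime_s
                return lease.inner_ip, str(self.net.netmask)
        taken = {self.gateway_ip} | self.in_use | set(self.leases)
        for host in self.net.hosts():
            ip = str(host)
            if ip not in taken:
                self.leases[ip] = Lease(ip, outer_ip, now + sa_lifetime_s)
                return ip, str(self.net.netmask)
        raise RuntimeError("no free address left in the LAN segment")

    def tunnel_peer_for(self, inner_dst: str, now: float):
        """Outer destination for a LAN packet sent to a distributed address, or None if unknown."""
        self.expire(now)
        lease = self.leases.get(inner_dst)
        return lease.outer_ip if lease else None

def demo():
    """Constructed LAN address table and a constructed global address A for PC 101."""
    gw = AddressDistributor("192.168.0.0/24", "192.168.0.1", in_use={"192.168.0.2", "192.168.0.3"})
    A = "203.0.113.10"
    d, mask = gw.allocate(A, now=0, sa_lifetime_s=3600)
    peer = gw.tunnel_peer_for(d, now=10)
    freed = gw.expire(now=3600)
    return d, mask, peer, freed
```

demo() hands out the first free address of the segment with the segment's mask, resolves a packet addressed to it back to the peer's global address while the SA is alive, and frees it once the SA lifetime has run out. Tying the lease to the SA lifetime, as [0064] proposes, means an address can never outlive the tunnel that authenticates its holder; a pool that is exhausted is reported rather than silently reusing an address still held by a LAN host.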

[0106] Thus, according to the VPN communication method and the security gateway apparatus using the method, when establishing the IPsec communication with an outside PC having a dialup connection, the gateway apparatus can control the final destination IP address of the PC, thereby eliminating the need for any setting on the terminal on the LAN. This promises safeguarded communication.

[0107] Besides, with the method and the apparatus, the outside PC establishing the VPN is virtually regarded as another terminal on the LAN. This allows the outside PC to access any terminal on the LAN with safety.

[0108] Furthermore, the present invention makes it possible for the outside PC to access a LAN environment that is configured with private IP addresses, with no degradation of security.

What is claimed is: 

1. A Virtual Private Network (VPN) communication 
method employed for a security gateway apparatus connect- 
ing between a local area network (LAN) and a wide area 
network (WAN) including a public network, the communi- 
cation method comprising the steps of: 

a) adding a Dynamic Host Configuration Protocol 
(DHCP) communication option to an Internet Key 
Exchange (IKE) data, when establishing an IKE com- 
munication with a terminal outside the LAN having a 
dialup connection with the WAN; 

b) distributing an IP address to the terminal outside the 
LAN during the IKE communication; and 

c) establishing a Security Architecture for the Internet 
Protocol (IPsec) communication that follows the IKE 
communication, wherein the gateway apparatus desig- 
nates an IP address for the outside terminal from a 
tunneled IP packet. 

2. The VPN communication method employed for the 
security gateway apparatus as defined in claim 1, wherein an 
IP address and a subnet mask address, which have same 
segments as those of the LAN, are distributed to the outside 
terminal, thereby the outside terminal can be virtually 
regarded as a terminal on the LAN. 

3. The VPN communication method for the security gateway apparatus as defined in claim 1, wherein the outside terminal is provided, during the IKE communication, with a private IP address that is used on the LAN, in a case that the LAN is configured with private IP addresses, whereby the outside terminal is allowed to access a terminal on the LAN.

4. The VPN communication method for the security 
gateway apparatus according to any one of claims 1 through 
3, wherein an encryption key and an authentication key are 
exchanged with a public key cryptosystem during the IKE 
communication. 

5. The VPN communication method for the security 
gateway apparatus according to any one of claims 1 through 
3, wherein the DHCP communication option contains an IP 
address and a subnet mask. 

6. A security gateway apparatus connecting between a 
local area network (LAN) and a wide area network (WAN) 
including a public network, the apparatus comprising: 

a) a Dynamic Host Configuration Protocol (DHCP) 
option adding section adding a DHCP communication 
option to an IKE data when establishing an IKE com- 
munication with a terminal outside the LAN having a 
dialup connection with the WAN; 

b) an IP address distribution section distributing an IP 
address to the outside terminal during the IKE com- 
munication; and 

c) an IPsec communication section performing an IPsec 
communication that follows the IKE communication, 
wherein, the gateway apparatus designates an IP 
address for the outside terminal from a tunneled IP 
packet. 

7. The security gateway apparatus as defined in claim 6, 
wherein an IP address and a subnet mask address, which 
have same segments as those of the LAN, are distributed to 
the outside terminal, thereby the outside terminal can be 
virtually regarded as a terminal on the LAN. 

8. The security gateway apparatus as defined in claim 6, 
wherein the outside terminal is provided, during the IKE 
communication, with a private IP address which is the same 
as one used on the LAN in a case that the LAN is configured 
with private IP addresses, whereby the outside terminal is 
allowed to access to a terminal on the LAN. 

9. The security gateway apparatus according to any one of 
claims 6 through 8, wherein an encryption key and an 
authentication key are exchanged with a public key crypto- 
system during the IKE communication. 

10. The security gateway apparatus according to any one 
of claims 6 through 8, wherein the DHCP communication 
option contains an IP address and a subnet mask. 
